Juniper (JUNOS) SRX – Static ‘One-to-One’ NAT

KB ID 0000995 

Problem

Setting up ‘Static NAT’ is the process of taking one of your ‘spare’ public IP addresses, and permanently mapping that public IP to a private IP address on your network.

In the example above I want to give my web sever which has an internal IP address of 192.168.1.10/24, the public IP address of 1.1.1.5/24. So if someone out on the Internet wants to view my website, they can browse to http://1.1.1.5 (or a URL that I’ve pointed to 1.1.1.5 like http://www.mywebsite.com). Then that traffic will be NATTED, on the firewall for me.

Solution

1. Create a rule-set from the ‘untrust’ zone. Then add a rule to that rule-set, that has a destination of 1.1.1.5/32, and finally set it to NAT that traffic to 192.168.1.10/32.

[box]login: root
Password: *******

— JUNOS 12.1X44-D30.4 built 2014-01-11 03:56:31 UTC

root@FW-02% cli
root@FW-02> configure
Entering configuration mode

[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST from zone untrust

[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 match destination-address 1.1.1.5/32

[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 then static-nat prefix 192.168.1.10/32

[/box]

2. Set the firewall to proxy-arp (advertise your pubic IP address with is MAC address), then add the web server to the global address book.

Note: ge-0/0/0.0 is the physical address you are advertising the new IP address from, on firewalls in a failover cluster you would use the Reth address i.e. reth0.0

[box] [edit]
root@FW-02# set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.5/32

[edit]
root@FW-02# set security address-book global address WEB-SERVER 192.168.1.10/32

[/box]

3. Allow traffic OUT from the web server. Here I’m letting out all ports, if you wanted just web traffic then use the keyword junos-http (TCP Port 80 (http)).

[box]

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match source-address WEB-SERVER

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match destination-address any

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match application any

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT then permit

[/box]

4. Then allow traffic IN to the web server, (here I’m locking it down to just http).

[box] [edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match source-address any

[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match destination-address WEB-SERVER

[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match application junos-http

[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN then permit

[/box]

5. Save the changes.

[box][edit]
root@FW-02# commit
commit complete[/box]

Juniper Allowing Traffic To Custom Ports And Applications

1. Although Juniper have a lot of built in ‘applications’ you can allow, what if you want to create your own? Below I’ll create a custom application for Remote Desktop Protocol (TCP port 3389).

[box] [edit]
root@FW-A# set applications application APP-RDP protocol tcp

[edit]
root@FW-A# set applications application APP-RDP destination-port 3389

[/box]

2. You could now use this application in your security policies e.g.

[box] [edit]
root@FW-A#set security policies from-zone untrust to-zone trust policy TERMINAL-SERVER-IN match application APP-RDP[/box]

 

Related Articles, References, Credits, or External Links

NA

 

Linux (CentOS) Securing and Hardening SSH / Shell Access

KB ID 0000881 

Problem

The following is by no means an extensive list of everything that can be done. It’s just a run though of what I would consider ‘good practice’.

Solution

Create a user for SSH and Remove Shell access for the ‘root’ user.

1. Connect to the server via SSH or open a terminal session and su to root. Create a new user then set and confirm the new users password.

[box] useradd {username}
passwd {username} [/box]

2. Test access for your new user.

3. To make changes to shell access, you need to edit the sshd_config file, to do that I’m using the nano editor.

Note: If you do not have nano installed, run ‘yum install nano’.

[box] nano /etc/ssh/sshd_config[/box]

4. Locate PermitRootLogin and change it to no.

5. Locate the PermitRootLogin without-password”. line and comment it out (prefix it with a hash #, (or pound if you’re American).

[box] # PermitRootLogin without-password”.[/box]

Limit SSH / Shell access to particular User(s)

6. Add the following line to allow the user you create above only.

[box] AllowUsers {username}[/box]

Note: If you had multiple users, you can add them separated by a space.

Disable SSH Version 1 and Force SSH Version2

7. Ensure Protocol 2 is NOT hashed out and activation of protocol 1 IS hashed out.

Change the SSH / shell Port Number

8. SSH by default runs over TCP port 22, this is a well know port to advertise to the outside world, to change it (in this case to 2200), change the existing Port 22 line;

[box] Port 2200[/box]

Note: There is not hard and fast rule on what port to use, but for production, I would suggest a random number above 1024 but below 65535.

9. At this point close nano and save the changes, (press CTRL+W and Y to save the changes).

10. The changes will not take effect until after you have restarted the SSH service/daemon.

[box] service sshd restart[/box]

11. At this point you can check that the root user no longer has SSH / Shell access.

12. But your SSH user has.

 

Related Articles, References, Credits, or External Links

NA